Russia to Impose Fines Up to 500,000 Rubles for Violating Critical Information Infrastructure Security

The Russian government has proposed introducing administrative liability for violations of requirements related to the security of critical information infrastructure (CII). A draft law amending the Code of Administrative Offenses (KoAP) has already been submitted to the State Duma for consideration.

Details of the Proposed Fines

According to the document, violations of the rules for creating and ensuring the operation of security systems for CII facilities may result in fines for officials ranging from 10,000 to 50,000 rubles, and for legal entities from 50,000 to 100,000 rubles.

For violations related to the procedures for reporting computer incidents, responding to them, and eliminating the consequences of cyberattacks, officials may be fined from 10,000 to 50,000 rubles, while legal entities may face fines from 100,000 to 500,000 rubles.

Violations of the procedures for exchanging information about cyber incidents with CII entities and other interested parties (such as foreign CERTs—computer emergency response teams) are proposed to be penalized as follows: for managers, from 20,000 to 50,000 rubles; for legal entities, from 100,000 to 500,000 rubles.

Amendments and Enforcement

The authorities plan to implement these changes by expanding articles 13.12 (“Violation of information protection rules”) and 19.7 (“Failure to provide information”), as well as chapter 23 (“Persons authorized to consider cases of administrative offenses”) of the KoAP. The statute of limitations for administrative liability related to CII violations will be set at one year.

The authority to review cases of CII security violations is expected to be granted to the FSB and FSTEC (the latter will be allowed to act only within the framework of articles related to information protection).
